Efficient Root Finding of Polynomials over Fields of Characteristic 2. Bhaskar Biswas & Vincent Herbert CRI INRIA Paris-Rocquencourt Domaine de Voluceau - Le Chesnay - 78153 - B.P. 105 - France [email protected]; [email protected]

Abstract. Root finding is the most time-consuming stage of McEliece cryptosystem decryption. The best method to find the zeroes of a polynomial for cryptographic parameters is the Berlekamp Trace Algorithm (BTA). Our idea is to mix BTA with ad-hoc methods proposed by Zinoviev. We obtain a significant gain in terms of time complexity for finding roots and so we decrease McEliece decryption time. This paper contains both theoretical and experimental study of this technique.

Keywords: Worst-case complexity, Code-based public-key cryptography, Linearized polynomial, Berlekamp Trace Algorithm, Error locator polynomial, Algebraic decoding algorithm, Binary Goppa codes.

1

Introduction

Root finding of polynomials over finite fields is a classical algebraic algorithmic problem. It is considered as one of the most time-consuming subprocess of the decoding process of Reed-Solomon, BCH and Goppa codes. There are some well known approaches for finding roots of the so-called error locator polynomial. The most widely known root finding algorithm is Chien search method [Chi64], which is an evaluation of the polynomial at all elements of the field, so it has very high time complexity for the case of large fields and polynomials of high degree. Berlekamp Trace Algorithm (BTA) [Ber71] is another well known method. It is a recursive method based on the trace function properties. McEliece cryptosystem is considered as one of the fastest public key schemes and is still esteemed secure for reasonable parameters. The classical [McE78] (described in Appendix A) and hybrid [BS08] McEliece schemes use binary Goppa codes [Gop70]. The decryption process employs an algebraic decoding algorithm which is often broken up in three parts namely: syndrome computation, finding the solution of the key equation,

and the root finding of the error locator polynomial. This last step takes theoretically three fourth of the total decryption time. In this paper, we present a hybrid method involving BTA and a method proposed by Zinoviev [Zin96]. Zinoviev proposed direct root finding procedures for polynomials with degree at most 10. Our idea is to compute directly the roots with Zinoviev procedures up to some degree and to use BTA for greater degrees. Moreover, we improve Zinoviev procedures for polynomials of degree 2 and 3 with time-memory tradeoffs. We analyze both the theoretical complexities and the experimental complexities of our proposal. We obtain a theoretical gain of 93% over Chien method and 46% over BTA. Experimental results confirm theory up to degree 4 at least. For instance with m = 11, t = 32 and dmax = 4, our method takes 60% of the total decryption time with respect to 72% for BTA and 87% for Chien. The paper is structured as follows. In Section 2, we explain our motivation for root finding of polynomials over binary fields. Section 3 is dedicated to related works. In Section 4, we state our proposal and in Section 5, we present the simulation results to back up our proposal.

2

Motivation

Let F2m be the extension field of degree m of the two-element field F2 . We consider a univariate monic polynomial f , of degree t > 0, in the polynomial ring F2m [z]. Without loss of generality, we assume that f has no multiple root and that f factorizes into linear factors over the binary field F2m (e.g. see [LN96]). Our goal is to find an efficient way, in terms of time and space complexity, to find all the zeroes of f . We are specifically interested in the said problem in the McEliece context. The efficiency of the root finding algorithms is a problem that we study in code-based cryptography. McEliece-type cryptosystems are often based on binary Goppa codes (presented in Appendix B). Their decryption algorithm employs an algebraic decoding process to recover the original message from the cyphertext. The most time-consuming stage, in the implementation of algebraic decoding of binary Goppa codes, with practical parameters, is the root finding of the error locating polynomial. This polynomial fulfills the above mentioned properties.

In this article, we consider an n-lenght binary Goppa code that corrects up to t errors (the algorithm used is given in Appendix B). Let us recall, in practice, parameters are chosen such that: n = 2m and mt ≤ n. Decryption Complexity Theoretical Complexity = number of arithmetic operations in F2m required to decrypt in the worst case. – Syndrome computation O(nt) – Key equation solving O(t2 ) – Error locator polynomial root finding • BTA O(mt2 ) • Chien search O(nt) Experimental Complexity = average running time for the decryption. We give below the percentage of the total time spent in each stage of the decryption algorithm. – Syndrome computation 11.3% – Key equation solving 12.0% – Error locator polynomial root finding • BTA 72.1% • Chien search 85.6% 1 – Other tasks 4.6% Asymptotically, syndrome computation is the leading cost. For recommended parameters (i.e. m = 11, t = 32), the most time-consuming step in the decryption (decoding) consists in finding roots of σe . Differences that can appear between theoretical and experimental complexities would be due to several reasons: – tweaks of implementation (quality of implementation, used processors and compilers); – cost of conditional tests and memory accesses (that are neglected in our theoretical study but that can be noteworthy in practice); – not so good approximations (e.g. we approximate the cost of an inversion of a binary matrix of order m to m2 field operations, we thus overlook a small multiplicative constant); 1

The percentages given are associated with BTA, if we take Chien search, the numbers for syndrome computation and key equation solving should vary accordingly.

– weighting2 of arithmetic operations in the field.

3

Related Works

Several approaches toward root finding in characteristic 2 are possible, their efficiency depends on the size of the parameters m and t. – Chien search (described in Appendix C) computes roots by evaluating artfully the polynomial in all points of L. This method is recommended for hardware implementations and coding theory applications in which m is small. – BTA is a recursive algorithm using trace function properties. It is a faster method for secure parameters for McEliece-type cryptosystems. – Equal-degree factorization is an algorithm of Cantor and Zassenhaus [vzGG03, Chapter 14]. Its scope is more general but under some adaptations, it enables to find roots of polynomials in characteristic 2 (this specific case is treated in Exercise 14.16 in [vzGG03]). Then it has similarities with BTA (use of trace function, computations of gcds and a recursive structure) but seems slightly more expensive. Its time complexity is O((m + log t) t2 log t) operations in F2m . – Zinoviev procedures are dedicated to root finding for polynomials of degree less than 10. For m ≥ 11, they are (theoretically at least) more efficient than Chien search. We present below the overview of BTA and Zinoviev procedures that we employ to consummate our proposal. 3.1

Berlekamp Trace Algorithm (1971)

We define the Trace function as Tr(·) : F2m → F2 2

Tr(z) := z + z 2 + z 2 + . . . + z 2

m−1

.

2m

Tr(·) is a F2 -linear mapping and we know that: z −z = Tr(z)·(Tr(z)−1). The Trace function has the following property: Y Tr(z) − i = (z − γ), ∀i ∈ F2 . γ s.t. Tr(γ)=i 2

In our study, we distinguish two cases: in the first one, addition and multiplication both cost one operation in F2m , we denote it K(+) = K(×) = 1 where K is the cost function of an arithmetic operation, in the second one, K(+) = 1 and K(×) = m.

Let B = (β1 , . . . , βm ) be a basis of F2m over F2 . Every element α ∈ F2m is uniquely represented by the binary m-tuple (Tr(β1 · α), . . . , Tr(βm · α)). m

BTA splits any f ∈ F2m [z], such that f (z)|(z 2 −z), into linear factors by computing iteratively on β ∈ B and recursively on f : g(z) := gcd(f (z), Tr(β · z)) and h(z) :=

f (z) = gcd(f (z), Tr(β · z) − 1). g(z)

First call: f = σe and β = β1 . BTA always successfully returns the linear factors of f due to the properties of the trace given above. More details on BTA can be found in [Ber71] and [MvOV88]. In practice, we precompute the polynomials Tr(βi · z) mod f (z), ∀i ∈ {0, . . . , m − 1}. The cost of this precomputation is O(mt2 ). We stress on the fact that it is not a negligible cost. Indeed, let us recall that BTA without precomputation has also a cost of O(mt2 ) operations over F2m . 3.2

Zinoviev Procedures (1996)

Zinoviev methods [Zin96] find the monic affine multiple of smallest degree of any polynomial f of degree d ≤ 10 over F2m . At step i ≥ 0, we compute a multiple of f of degree 2dlog2 de+i and we try to decimate the non-linear terms by solving a homogeneous system of linear equations. If the system has no solution, we go up step i + 1. Besides, an algorithm proposed by Berlekamp, Rumsey and Solomon in [BRS67] ensures to find an affine multiple of degree 2d−1 and thus guarantee Zinoviev methods terminate, in the worst case, at step d − 1 − dlog2 de. After that, finding roots of an affine polynomial is easier than in the general case (see Appendix D). For this, we only have to solve a linear system of order m over F2 . Then, we have to determine the roots of f , among the roots of the affine polynomial we have found. We just evaluate f in those points to do so. Consider q is a prime power and m is a positive integer. Let us give the useful definitions: Definition 1. An affine polynomial has the form: A(z) = L(z) + c where L is a linearized polynomial over Fqm and c ∈ Fqm .

Definition 2. A linearized polynomial over Fqm is a polynomial of the form: n X i L(z) = li · z q . i=0

with li ∈ Fqm and ln = 1. In our case, q = 2. The Trace polynomial is an example of linearized polynomial.

4 4.1

Our Proposal Speed up McEliece Decryption

The drawback of BTA is the large number of recursive calls when the system parameters grow. We reduce it by mixing BTA and Zinoviev procedures that are ad-hoc methods for finding roots of polynomials of degree ≤ 10. This is a classical technique employed to decrease the number of recursive levels, e.g. the well-known Quicksort algorithm is optimized with analagous methods. We call this process BTZ (Berlekamp Trace Zinoviev) in the scope of this document. BTZ depends on a parameter dmax that is the maximum degree up to which we use Zinoviev methods. We give two pseudocodes of BTZ in Appendix F. 4.2

Implementation Tweaks

In our implementation, we use a polynomial basis to represent the field elements. We implemented Zinoviev procedures with time-memory tradeoffs for polynomials of degree 2 and 3, that enable to perform better than with the original procedures. We explain these new methods and give their complexities in the following. Time-Memory Tradeoff for Degree 2. We want to solve the equation: z 2 + az + b = 0 for a, b ∈ F2m . If the solutions exist, we denote them z1 and z2 . First, we make a change of variable. We set z = ax. We obtain the equation x2 + x + b/a2 = 0. It costs one division and one squaring in F2m . Let i be an element of F2m and fi be the mapping: fi : F2m → F2m x 7→ x2 + x + i

The equation fi (x) = 0 has two solutions in F2m if and only if Tr(i) = 0 (a proof is given in [BRS67]), else this equation has no solution in F2m . Let T be a table containing elements of F2m . ( T [i] =

j ∅

if j 2 + j = i if Tr(i) = 1

In other words, T [i] contains one of the two elements of the kernel of fi , if i is in the image of x 7→ x2 + x. Note that j + 1 is the second element of this kernel. Now, we read from the table, the element T [b/a2 ]. We invert the change of variable by computing: z1 = ab. Then, we compute the second solution: z2 = ab + a. This process costs one multiplication and one addition in F2m . Thus, we have solved our problem within four operations in F2m with a memory of 2m field elements. It is useful for small m. Time-Memory Tradeoff for Degree 3. In this case, the equation to solve is: z 3 + az 2 + bz + c = 0 where a, b, c ∈ F2m . We obtain an affine multiple of degree 4 by multiplying the polynomial by z + a. It costs two multiplications, one squaring and two additions in F2m . The substitution p z = (a2 + b)x (m − 1 repeated squarings3 ) and a normalization (two divisions) enable to obtain an equation of the form: x4 + x2 + dx = e, with d, e ∈ F2m . Let us denote f the mapping x 7→ x4 + x2 + dx. By construction a is a root of f (x) = e, we want to find the other three. The mapping f has a kernel of dimension two (except if d = 0, in this case, the dimension is one). We have only to store two elements which form a basis of the kernel of x 7→ x4 + x2 + dx in a table for all d ∈ F2m . This requires a storage memory of 2 × 2m field elements. Notice, this step does not depend on the coefficient e. Let us call the lookup table T and the two elements stored in the table for a given d: λ1 and λ2 . Then, we have T [d] = (λ1 , λ2 ). As f is linear, the three other roots of f are: a+λ1 , a+λ2 and a + λ1 + λ2 . We obtain them with three additions. Lastly, we invert the substitution (three multiplications) and thus the problem is solved. Here, we used the fact that we know that a is a root of f to find the other ones. We cannot use anymore this extra information for polynomials of degree 4 onwards. 3

Let us mention that one addition and one multiplication with a constant, are enough using the method proposed in [Hub02]. We do not take it into account in Table 1.

4.3

How do we Compute Theoretical Complexity?

We will not give here the complexity recurrence formula, that we use to compute the number of operations required to process BTZ for the sake of clarity. Instead, we prefer to explain how we obtain it. About BTA. The polynomials with which we deal in BTA are monic, without multiple root and can be factorized into linear factors over F2m . These polynomials form a set P. Such polynomials ¡ m ¢of degree d are entirely determined by their d roots. Hence, there are 2d such polynomials. Moreover, we know that for all β ∈ B, a F2 -basis of F2m , half of the elements of F2m have Tr(β·z) = 0 and that for the other half, Tr(β·z) = 1. For each step of Algorithm 2 (see Appendix F), we compute the gcd of a polynomial with Tr(β · z). The polynomial that we obtain contains the roots, such that Tr(β · z) = 0. We then make a Euclidean division that gives us another polynomial of degree d − i, which contains the roots, such that Tr(β · z) = 1. When we compute the theoretical complexity of BTZ, we compute the expected value of the number of operations in the worst case. Hence, we consider, for all i ∈ {0, · · · , d}, the probability P (d, m, i) that the polynomial of degree d breaks down into a couple of polynomials of degree i and d − i. That is, the gcd computation gives us a polynomial of degree i whose roots are among the elements of F2m , such that Tr(β · z) = 0. In the same manner, with the Euclidean division, we obtain a polynomial of degree d−i, while its roots are among the elements of F2m , such that Tr(β · z) = 1. We assume the input polynomial is chosen at random from a uniform distribution over P. Thus, we obtain: ¡2m−1 ¢ P (d, m, i) =

i

×

¡2m−1 ¢

¡2m ¢

d−i

.

d

About Zinoviev Procedures. In Table 1, we assume that all the arithmetic operations on the field have unitary cost and that one binary matrix inversion of order m costs m2 additions in F2m . Let Zd denote the Zinoviev procedure for degree d where d varies from 2 to 5. For d = 2 and d = 3, we consider two possibilities: with or without the time-memory tradeoff. When we use the tradeoff, the space complexity is exponential in m, that is, it is in the order of the size of the field i.e. 2m , up to a multiplicative constant factor. For greater degrees (6 ≤ d ≤ 10), the time complexity is O(m2 + dm + d2d ). It is exponential in d since in the worst case, the affine multiple has degree equal to 2d−1 . Therefore, in the last step of Zinoviev

procedures, we would have to evaluate the polynomial in 2d−1 points for finding its roots. This is a reason for which we do not use Zinoviev methods for higher degrees than 10. One observes, in Table 1, that the most expensive part of the Zinoviev procedures is the binary matrix inversion which enables to find the roots of the affine polynomial (see Section 3.2 for more details). Addition Mult. Division Squaring Matrix Inv. Total Cost Z2 precomput. m2 m2 0 m(m − 1) 1 4m2 − m Z2 w/o tradeoff m 1 1 1 0 m+3 Z2 w/ tradeoff 1 1 1 1 0 4 Z3 w/o tradeoff 2(m + 1) 3m 0 m 1 m2 + 6m + 2 Z3 w/ tradeoff 5 5 2 m 0 m + 12 Z4 2m + 9 3(m + 1) 8 m 1 m2 + 6m + 20 Z5 4m + 101 7m + 104 1 0 1 m2 + 11m + 206 Table 1. Number of operations over F2m in Zinoviev procedures

5

Simulation Results

In Table 2, we provide experimental data for finding the roots of a polynomial of degree t = 32 over F2m = F2048 . BTZd means that we use BTZ with dmax = d, for all suitable d. n = 2048, t = 32, m = 11 Chien BTA BTZ2 BTZ3 BTZ4 # CPU cycles root finding 3200 1300 900 800 800 per byte for decrypting 3700 1800 1400 1300 1300 percentage 4 syndrome computation 5 10 13 14 14 of time solving key equation 7 14 18 19 19 spent for root finding 87 72 65 61 60 Table 2. Experimental data for finding the roots of a polynomial of degree t = 32 over F2m = F2048 .

In Table 3, we present the theoretical number of field operations for correcting t = 32 errors of a n = 2048-length word over F211 using BTZ with dmax = 5 and time-memory tradeoff (see Section 4.2). For information, BTZ without the tradeoff gives very close theoretical results. 4

Remaining percentages correspond to other minor tasks.

n = 2048, t = 32, m = 11 Chien BTA BTZ2 BTZ3 BTZ4 BTZ5 BTZ6 K(+) = K(×) = 1 129k 16k 13k 11k 10k 10k 10k K(+) = 1, K(×) = m 764k 91k 65k 54k 50k 47k 48k Table 3. Theoretical number of field operations for correcting t = 32 errors of a n = 2048-length word over F211 using BTZ with dmax = 5 and time-memory tradeoff.

Let us depict the gain of BTZ over BTA and Chien procedure in terms of percentage of number of operations according to the parameter dmax and the polynomial degree t. The results (given in Figure 1 and Figure 2) take into account the time-memory tradeoff for degree 2 and 3. For the sake of readibility and relevance in cryptographic applications, we restrict to the case m = 11, K(×) = m, t ≤ 100 and dmax ≤ 6. Additionally, we present similar results for greater degrees in Appendix E. Nevertheless, we have also computed these results for m = 8, 11, 12, 13, 14, 15, 16, 20, 30, 40, K(×) = 1, t ≤ 300, dmax ≤ 10 and for both with and without the tradeoff. These data give the information that the higher is t, the higher is the optimal dmax . One can deduce from the two following graphs that for m = 11 and t = 32, the recommended theoretical value for dmax is 5. Indeed, we have a substantial gain of 46% over BTA and 93% over Chien method for this value of dmax . Acknowledgements: We would like to express our gratitude to our PhD advisor, Nicolas Sendrier, for his valuable help during this work.

55

gain of BTZ_d_max against BTA (%)

50 45 40 35 30 25 20 15

10

20 d_max=2

30

40

d_max=3

50 60 polynomial degree t d_max=4

70

d_max=5

80

90

100

d_max=6

Fig. 1. BTZdmax vs. BTA; m = 11; K(+) = 1; K(×) = m; with time-memory tradeoff

gain of BTZ_d_max against Chien method (%)

100

95

90

85

80

75

70

65

10

20 d_max=2

30 d_max=3

40

50 60 polynomial degree t d_max=4

70

d_max=5

80

90

100

d_max=6

Fig. 2. BTZdmax vs. Chien; m = 11; K(+) = 1; K(×) = m; with time-memory tradeoff

References [Ber71]

E. R. Berlekamp. Factoring polynomials over large finite fields. In SYMSAC ’71 - Proceedings of the second ACM symposium on Symbolic and algebraic manipulation, page 223, New York, USA, 1971. ACM. [BRS67] E. R. Berlekamp, H. Rumsey, and G. Solomon. On the solution of algebraic equations over finite fields. In Information and Control, volume 10, pages 553–564, June 1967. [BS08] Bhaskar Biswas and Nicolas Sendrier. McEliece cryptosystem implementation: Theory and Practice. In PQCrypto, pages 47–62, 2008. [Chi64] R. T. Chien. Cyclic decoding procedures for Bose-Chaudhuri-Hocquenghem codes. In IEEE Transactions on Information Theory, volume 10, pages 357– 363, 1964. [FTC03] S. Fedorenko, P. Trifonov, and E. Costa. Improved hybrid algorithm for finding roots of error-locator polynomials. In European Transactions on Telecommunications, volume 14, pages 411–416, 2003. [Gop70] V.D. Goppa. A new class of linear error-correcting codes. In Probl. Inform. Transm., volume 6, pages 207–212, 1970. [Hub02] K. Huber. Note on decoding binary Goppa codes. In Electronics Letters, volume 32, pages 102–103, August 2002. [LN96] Rudolf Lidl and Harald Niederreiter. Finite Fields (Encyclopedia of Mathematics and its Applications). Cambridge University Press, October 1996. [McE78] R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. Technical Report DSN 42-44, JPL, Pasadena, 1978. [MS83] F. J. Macwilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes (North-Holland Mathematical Library). North Holland, January 1983. [MvOV88] Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Some computational aspects of root finding in GF(q m ). In ISSAC, pages 259–270, 1988. [Pat75] N. Patterson. The algebraic decoding of Goppa codes. In Information Theory, IEEE Transactions on, volume 21, pages 203–207, 1975. [vzGG03] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge Univ. Press, 2003. [Zin96] V.A. Zinoviev. On the solution of equations of degree ≤ 10 over finite fields GF(2q ). In Rapport de recherche INRIA no 2829, 1996.

z

A

Description of Classical McEliece Cryptosystem (1978)

Public key: A binary linear [n,k] code C, i.e. a k-dimensional linear F2 -subspace of Fn2 , described by a generator matrix G. Private key: An efficient decoding algorithm for C up to the error correcting capacity t. Encryption: Map the k bits plaintext x to the codeword x.G, add e, an uniformly random error of length n and weight t to obtain the cyphertext y. Decryption: Correct the t errors, unmap to get the message. This process is also called decoding.

B

Description of Binary Goppa Codes (1970)

Let m > 0, n ≤ 2m and a = (a1 , ..., an ) ∈ Fn2 . The n-length binary Goppa code Γ (L, g) is defined by: – Support L = (α1 , ..., αn ) n-tuple of distinct elements of F2m ; – Goppa polynomial g(z) ∈ F2m [z], square-free, monic of degree t > 0 with no root in L. In practice, g is chosen irreducible over F2m and n = 2m . Γ (L, g) is a subfield subcode over F2 (i.e. the subcode that contains all the codewords whose coordinates are in F2 ) of a particular Goppa geometric code over the binary field F2m . We have a ∈ Γ (L, g) if and only if: Ra (z) :=

n X i=1

ai = 0 over F2m [z]/(g(z)). z − αi

Ra is called the syndrome of the word a. Note that Ra is F2 -linear in a. Binary Goppa codes have an error correction capacity of at least t errors. We present a polynomial-time algorithm for decoding these codes that corrects up to t errors.

Algebraic Decoding Algorithm Let e, x, y be n-length binary vectors. We have to find x, the sent codeword from y = x + e where y is the received word and e, the error word. Algebraic decoding is carried out in three steps: 1. Syndrome computation of the received word Ry (z) = Re (z) =

n X i=1

ei over F2m [z]/(g(z)). z − αi

2. Solving the key equation to obtain the error locator polynomial σe with the Patterson algorithm [Pat75]. Re (z) · σe (z) = σe0 (z) over F2m [z]/(g(z)). Notation: σe0 denotes the formal derivative of σe . 3. Error locator polynomial root finding σe (z) :=

n Y

(z − αi )ei ; ei 6= 0 ⇔ σe (αi ) = 0.

i=1

We stress on the fact that the degree of σe is also the Hamming weight of e, that is to say, the number of errors to correct. The algorithm can correct up to t errors so the degree of σe is less than or equal to t.

C

Description of Chien Procedure (1964)

Chien search is a recursive algorithm. It is a clever exhaustive search. Let f (x) = a0 + a1 · x + · · · + at · xt be a polynomial over F2m and let α be a generator of the multiplicative group F∗2m . t

f (αi ) = a0 + a1 · αi + · · · + at · (αi )

t

f (αi+1 ) = a0 + a1 · αi+1 + · · · + at · (αi+1 ) t

= a0 + a1 · αi · α + · · · + at · (αi ) · αt j

Set ai,j = aj (αi ) . It is easy to obtain f (αi+1 ) from f (αi ) since we P t have that ai+1,j = ai,j · αj . Moreover, if j=0 ai,j = 0, then αi is a root of f .

D

Finding Roots of an Affine Polynomial

P 2i Let us have an affine polynomial A(z) = L(z) + c = m−1 i=0 li · z + c. Consider (α1 , · · · , αm ) is a F2 -basis of F2m , (li )1≤i≤m , c and x are elements of F2m . Guess x = (x1 , · · · , xm ) is a root of A. Finding zeroes of an affine polynomial is equivalent to solving a linear system. Indeed, we have: A(x) = 0 ⇔ L(x) = c m m X X ⇔ xi · L(αi ) = ci · αi i=1

⇔

i=1

m X m X

xi li,j · αi =

i=1 j=1

E

(using linearity of L)

m X

ci · αi

(linear system in xi ).

i=1

BTZdmax vs. BTA for m = 11, 30 ≤ t ≤ 300

50

gain of BTZ_d_max against BTA (%)

45

40

35

30

25

20

15

50 d_max=5

100 d_max=6

150 200 polynomial degree t d_max=7

d_max=8

250

300

d_max=9

Fig. 3. BTZdmax vs. BTA; m = 11; K(+) = 1; K(×) = m; with time-memory tradeoff

F

Pseudocodes of BTZ

Some notations: – – – –

σe is the error locator polynomial of the error word e. dmax is the maximum degree up to which we use Zinoviev procedures. DZin is the set of degrees for which we apply Zinoviev procedures. (β1 , · · · , βm )=(α, α2 , · · · , αm ) is a fixed polynomial basis of F2m over F2 where α is a primitive element of F2m .

Algorithm 1 simplified BTZ without precomputation - BTZ(f, d, i) First call: f ← σe ; d ← dmax ∈ {2, . . . , 10}; i ← 1. if degree(f ) ≤ d then return ZINOVIEV(f, d); else g ← gcd(f, Tr(βi · z)); h ← f /g; return BTZ(g, d, i + 1) ∪ BTZ(h, d, i + 1); end if

Algorithm 2 BTZ with precomputation - BTZ(f, D, i) First call: f ← σe ; D ← DZin ⊂ {2, . . . , 10}; i ← 1. {precomputation phase} for 1 ≤ i ≤ m do Ti ← Tr(βi · z)) mod f ; end for i ← 1; {computation phase} if degree(f ) ∈ D then return ZINOVIEV(f, d); else T ← Ti mod f ; g ← gcd(f, T ); h ← f /g; i ← i + 1; return BTZ(g, d, T ) ∪ BTZ(h, d, T ); end if